ZyXEL Communications Wireless Router P-334 User Manual

Broadband router with firewall

Prestige 334
Broadband Router with Firewall
User's Guide
Version 3.60
12/2004


Summary of Contents for ZyXEL Communications Wireless Router P-334

  • Page 1 Prestige 334 Broadband Router with Firewall User’s Guide Version 3.60 12/2004...
  • Page 2: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 3: Federal Communications Commission (Fcc) Interference Statement

    Prestige 334 User’s Guide Federal Communications Commission (FCC) Interference This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Zyxel Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating...
  • Page 5: Zyxel Limited Warranty

    Prestige 334 User’s Guide ZyXEL Limited Warranty...
  • Page 6: Customer Support

    +46 31 744 7701 +358 9 4780 8411 www.zyxel.fi +358 9 4780 8448 Prestige 334 User’s Guide REGULAR MAIL ZyXEL Communications Corp. 6 Innovation Road II Science Park Hsinchu 300 Taiwan ZyXEL Communications Inc. 1130 N. Miller St. Anaheim CA 92806-2001 U.S.A.
  • Page 7: Customer Support

    Prestige 334 User’s Guide a. “+” is the (prefix) number you enter to make an international telephone call. Customer Support...
  • Page 9: Table Of Contents

    Copyright ... 2 Federal Communications Commission (FCC) Interference Statement ... 3 ZyXEL Limited Warranty... 4 Customer Support... 6 Preface ... 30 Chapter 1 Getting to Know Your Prestige ... 32 1.1 Prestige Internet Security Gateway Overview ...32 1.2 Prestige Features ...32 1.2.1 Physical Features ...32 1.2.1.1 10/100M Auto-negotiating Ethernet/Fast Ethernet Interface(s) ...32 1.2.1.2 Auto-crossover 10/100 Mbps Ethernet Interface(s) ...32...
  • Page 10 Prestige 334 User’s Guide 1.2.2.17 Port Forwarding ...35 1.2.2.18 DHCP (Dynamic Host Configuration Protocol) ...35 1.2.2.19 Full Network Management ...35 1.2.2.20 RoadRunner Support ...35 1.2.2.21 Logging and Tracing ...35 1.2.2.22 Upgrade Prestige Firmware via LAN ...36 1.2.2.23 Embedded FTP and TFTP Servers ...36 1.3 Applications for the Prestige ...36 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem ...36 1.3.2 VPN Application ...36...
  • Page 11 4.5 Configuring Password ...60 4.6 Configuring Time Setting ...60 Chapter 5 LAN Screens... 64 5.1 LAN Overview ...64 5.2 DHCP Setup ...64 5.2.1 IP Pool Setup ...64 5.2.2 System DNS Servers ...64 5.3 LAN TCP/IP ...64 5.3.1 Factory LAN Defaults ...64 5.3.2 IP Address and Subnet Mask ...65 5.3.3 RIP Setup ...65 5.3.4 Multicast ...65...
  • Page 12 Prestige 334 User’s Guide 7.3.1 Default Server IP Address ...91 7.3.2 Port Forwarding: Services and Port Numbers ...91 7.3.3 Configuring Servers Behind SUA (Example) ...92 7.4 Configuring SUA Server ...93 7.5 Configuring Address Mapping ...95 7.5.1 Configuring Address Mapping ...96 7.6 Trigger Port Forwarding ...98 7.6.1 Trigger Port Forwarding Example ...98 7.6.2 Two Points To Remember About Trigger Ports ...99...
  • Page 13 Chapter 11 Firewall... 126 11.1 Introduction ...126 11.1.1 What is a Firewall? ...126 11.1.2 Stateful Inspection Firewall..126 11.1.3 About the Prestige Firewall ...126 11.1.4 Guidelines For Enhancing Security With Your Firewall ...127 11.2 Firewall Settings Screen ...127 11.3 The Firewall, NAT and Remote Management ...129 11.3.1 LAN-to-WAN rules ...129 11.3.2 WAN-to-LAN rules ...129 11.4 Services ...130...
  • Page 14 Prestige 334 User’s Guide 14.1.3.1 Encryption ...150 14.1.3.2 Data Confidentiality ...151 14.1.3.3 Data Integrity ...151 14.1.3.4 Data Origin Authentication ...151 14.1.4 VPN Applications ...151 14.2 IPSec Architecture ...151 14.2.1 IPSec Algorithms ...152 14.2.2 Key Management ...152 14.3 Encapsulation ...152 14.3.1 Transport Mode ...153 14.3.2 Tunnel Mode ...153 14.4 IPSec and NAT ...153 Chapter 15...
  • Page 15 15.17.2 Telecommuters Using Unique VPN Rules Example ...181 15.18 VPN and Remote Management ...182 Chapter 16 Centralized Logs ... 184 16.1 View Log ...184 16.2 Log Settings ...186 Chapter 17 Maintenance ... 190 17.1 Maintenance Overview ...190 17.2 Status Screen ...190 17.2.1 System Statistics ...192 17.3 DHCP Table Screen ...192 17.4 F/W Upload Screen ...193...
  • Page 16 Prestige 334 User’s Guide Chapter 21 Menu 3 LAN Setup ... 212 21.1 LAN Setup ...212 21.1.1 General Ethernet Setup ...212 21.2 Protocol Dependent Ethernet Setup ...213 21.3 TCP/IP Ethernet Setup and DHCP ...213 21.3.1 IP Alias Setup ...215 Chapter 22 Internet Access ...
  • Page 17 25.5 General NAT Examples ...244 25.5.1 Example 1: Internet Access Only ...245 25.5.2 Example 2: Internet Access with an Inside Server ...245 25.5.3 Example 3: Multiple Public IP Addresses With Inside Servers ...246 25.5.4 Example 4: NAT Unfriendly Application Programs ...250 25.6 Configuring Trigger Port Forwarding ...252 Chapter 26 Enabling the Firewall ...
  • Page 18 Prestige 334 User’s Guide 29.3.1.1 CDR ...279 29.3.1.2 Packet triggered ...279 29.3.1.3 Filter log ...280 29.3.1.4 PPP log ...280 29.3.1.5 Firewall log ...281 29.3.2 Call-Triggering Packet ...281 29.4 Diagnostic ...282 29.4.1 WAN DHCP ...283 Chapter 30 Firmware and Configuration File Maintenance ... 286 30.1 Filename Conventions ...286 30.2 Backup Configuration ...287 30.2.1 Backup Configuration ...287...
  • Page 19 Chapter 32 Remote Management ... 306 32.1 Remote Management ...306 32.1.1 Remote Management Limitations ...307 Chapter 33 Call Scheduling ... 310 33.1 Introduction to Call Scheduling ...310 Chapter 34 VPN/IPSec Setup ... 314 34.1 VPN/IPSec Overview ...314 34.2 IPSec Summary Screen ...315 34.3 IKE Setup ...321 34.4 Manual Setup ...323 34.4.0.1 Active Protocol ...324...
  • Page 20 Prestige 334 User’s Guide Appendix H TMSS ... 356 Appendix I Triangle Route ... 360 Table of Contents...
  • Page 21 Prestige 334 User’s Guide List of Figures Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem ... 36 Figure 2 VPN Application ... 37 Figure 3 Change Password Screen ... 39 Figure 4 The MAIN MENU Screen of the Web Configurator ... 40 Figure 5 Wizard 1: General Setup ...
  • Page 22 Prestige 334 User’s Guide Figure 37 Static Route: Edit ... 104 Figure 38 Configuring UPnP ... 108 Figure 39 Service Settings ... 117 Figure 40 Virus Protection ... 119 Figure 41 Parental Controls License Status ... 121 Figure 42 Parental Controls ... 122 Figure 43 Parental Controls Statistics ...
  • Page 23 Prestige 334 User’s Guide Figure 80 Network Temporarily Disconnected ... 195 Figure 81 Maintenance Configuration ... 196 Figure 82 Configuration Restore Successful ... 197 Figure 83 Temporarily Disconnected ... 197 Figure 84 Configuration Restore Error ... 198 Figure 85 Factory Defaults ... 198 Figure 86 System Restart ...
  • Page 24 Prestige 334 User’s Guide Figure 123 Menu 15.2.1 Specifying an Inside Server ... 246 Figure 124 NAT Example 3 ... 247 Figure 125 NAT Example 3: Menu 11.3 ... 248 Figure 126 Example 3: Menu 15.1.1.1 ... 249 Figure 127 Example 3: Final Menu 15.1.1 ... 249 Figure 128 Example 3: Menu 15.2 ...
  • Page 25 Prestige 334 User’s Guide Figure 166 Valid Commands ... 299 Figure 167 Menu 24.9 System Maintenance : Call Control ... 299 Figure 168 Budget Management ... 300 Figure 169 Menu 24.9.2 - Call History ... 301 Figure 170 Menu 24: System Maintenance ... 302 Figure 171 Menu 24.10 System Maintenance: Time and Date Setting ...
  • Page 26 Prestige 334 User’s Guide List of Figures...
  • Page 27 Prestige 334 User’s Guide List of Tables Table 1 Screens Summary ... 41 Table 2 Wizard 2: Ethernet Encapsulation ... 46 Table 3 Wizard 2: PPPoE Encapsulation ... 48 Table 4 Wizard 2: PPTP Encapsulation ... 49 Table 5 Private IP Address Ranges ... 50 Table 6 Example of Network Properties for LAN Servers with Fixed IP Addresses ...
  • Page 28 Prestige 334 User’s Guide Table 37 Content Filter ... 135 Table 38 Remote Management: WWW ... 140 Table 39 Remote Management: Telnet ... 141 Table 40 Remote Management: FTP ... 142 Table 41 SNMP Traps ... 144 Table 42 Remote Management: SNMP ... 145 Table 43 Remote Management: DNS ...
  • Page 29 Prestige 334 User’s Guide Table 80 Applying NAT in Menus 4 & 11.3 ... 238 Table 81 SUA Address Mapping Rules ... 240 Table 82 Menu 15.1.1 First Set ... 242 Table 83 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set ... 243 Table 84 Menu 15.3 Trigger Port Setup ...
  • Page 30 Prestige 334 User’s Guide List of Tables...
  • Page 31: Preface

    Congratulations on your purchase of the Prestige 334 Broadband Router with Firewall. This manual is designed to guide you through the configuration of your Prestige for its various applications. This manual may refer to the Prestige 334 or Broadband Router with Firewall as the Prestige. About This User's Guide This User’s Guide is designed to guide you through the configuration of your Prestige using the web configurator or the SMT.
  • Page 32: User Guide Feedback

    Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you! Syntax Conventions •...
  • Page 33: Getting To Know Your Prestige

    Getting to Know Your Prestige This chapter introduces the main features and applications of the Prestige. 1.1 Prestige Internet Security Gateway Overview The Prestige is the ideal secure gateway for all data passing between the Internet and LAN’s. By integrating NAT, firewall, media bandwidth management and VPN capability, ZyXEL’s Prestige is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 34: Reset Button

    1.2.1.5 Reset Button The Prestige reset button is built into the rear panel. Use this button to restore the factory defaults: password 1234, IP address 192.168.1.1, subnet mask 255.255.255.0, and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33. 1.2.2 Non-Physical Features 1.2.2.1 Trend Micro Security Services Trend Micro Security Services (TMSS) are a range of services...
  • Page 35: Universal Plug And Play (Upnp)

    1.2.2.7 Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the Prestige and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network. 1.2.2.8 Call Scheduling Configure call time periods to restrict and allow access for users on remote nodes.
  • Page 36: Snmp

    Prestige 334 User’s Guide 1.2.2.14 SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
  • Page 37: Upgrade Prestige Firmware Via Lan

    • Unix syslog facility support. • Firewall logs. • Content filtering logs. 1.2.2.22 Upgrade Prestige Firmware via LAN The firmware of the Prestige can be upgraded via the LAN (refer to Maintenance- F/W Upload Screen). 1.2.2.23 Embedded FTP and TFTP Servers The Prestige’s embedded FTP and TFTP Servers enable fast firmware upgrades as well as configuration file backups and restoration.
  • Page 38: Figure 2 Vpn Application

    Prestige 334 User’s Guide Figure 2 VPN Application Chapter 1 Getting to Know Your Prestige...
  • Page 39: Introducing The Web Configurator

    This chapter describes how to access the Prestige web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The embedded web configurator allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
  • Page 40: Resetting The Prestige

    Figure 3 Change Password Screen You should now see the MAIN MENU screen. 2.3 Resetting the Prestige If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the Prestige to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.
  • Page 41: Navigation Panel

    • Click to view the web configurator in the language of your choice. • Click LOGOUT at any time to exit the web configurator. • Click MAINTENANCE to view information about your Prestige or upgrade configuration/firmware files. Maintenance includes Status (Statistics), DHCP Table, F/ W (firmware) Upload, Configuration (Backup, Restore, Defaults) and Restart.
  • Page 42: Table 1 Screens Summary

    Prestige 334 User’s Guide The following table describes the sub-menus. Table 1 Screens Summary LINK WIZARD SETUP SYSTEM General DDNS Password Time Zone Static DHCP IP Alias Route WAN ISP WAN IP WAN MAC Traffic Redirect SUA/NAT SUA Server Address Mapping Trigger Port STATIC ROUTE...
  • Page 43 Table 1 Screens Summary LINK REMOTE MGMT TELNET SNMP Security Summary Rule Setup SA Monitor Global Setting UPnP UPnP TMSS Service Settings Antivirus Protection Parental Controls LOGS View Log Log Settings MAINTENANCE Status DHCP Table Any IP F/W Upload Configuration Restart LOGOUT Chapter 2 Introducing the Web Configurator...
  • Page 44 Prestige 334 User’s Guide Chapter 2 Introducing the Web Configurator...
  • Page 45: Chapter 3 Wizard Setup

    This chapter provides information on the Wizard Setup screens in the web configurator. 3.1 Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field.
  • Page 46: Wizard Setup: Screen 2

    Figure 5 Wizard 1: General Setup 3.3 Wizard Setup: Screen 2 The Prestige offers three choices of encapsulation. They are Ethernet, PPP over Ethernet or PPTP. 3.3.1 Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet.
  • Page 47: Figure 6 Wizard 2: Ethernet Encapsulation

    Figure 6 Wizard 2: Ethernet Encapsulation The following table describes the labels in this screen. Table 2 Wizard 2: Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 48: Pppoe Encapsulation

    Prestige 334 User’s Guide 3.3.2 PPPoE Encapsulation Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example DSL, cable, wireless, etc.) to achieve access to high-speed data networks.
  • Page 49: Pptp Encapsulation

    Figure 7 Wizard 2: PPPoE Encapsulation The following table describes the labels in this screen. Table 3 Wizard 2: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose PPP over Ethernet from the pull-down list box. PPPoE forms a dial-up connection.
  • Page 50: Figure 8 Wizard 2: Pptp Encapsulation

    Prestige 334 User’s Guide Refer to the appendix for more information on PPTP. Figure 8 Wizard 2: PPTP Encapsulation The following table describes the fields in this screen Table 4 Wizard 2: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box.
  • Page 51: Wizard Setup: Screen 3

    Table 4 Wizard 2: PPTP Encapsulation LABEL DESCRIPTION Connection ID/Name Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your ISP. Back Click Back to return to the previous screen.
  • Page 52: Dns Server Address Assignment

    Prestige 334 User’s Guide Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 53: Figure 9 Wizard 3: Wan Setup

    You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a different "rom"...
  • Page 54: Basic Setup Complete

    Prestige 334 User’s Guide Table 7 Wizard 3: WAN Setup LABEL Gateway IP Address System DNS Server Address Assignment (if applicable) DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 55: Figure 10 Wizard Finish

    Prestige 334 User’s Guide Figure 10 Wizard Finish Well done! You have successfully set up your Prestige to operate on your network and access the Internet. Chapter 3 Wizard Setup...
  • Page 56 Prestige 334 User’s Guide Chapter 3 Wizard Setup...
  • Page 57: Chapter 4 System Screens

    This chapter provides information on the System screens. 4.1 System Overview See the Wizard Setup chapter for more information on the next few screens. 4.2 Configuring General Setup Click SYSTEM to open the General screen.
  • Page 58: Figure 11 System General Setup

    Prestige 334 User’s Guide Figure 11 System General Setup The following table describes the labels in this screen. Table 8 System General Setup LABEL DESCRIPTION System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field (see the Wizard Setup chapter for how to find your computer’s name).
  • Page 59: Dynamic Dns

    Table 8 System General Setup LABEL DESCRIPTION Apply Click Apply to save your changes back to the Prestige. Reset Click Reset to begin configuring this screen afresh. 4.3 Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
  • Page 60: Figure 12 Ddns

    Prestige 334 User’s Guide Figure 12 DDNS The following table describes the labels in this screen. Table 9 DDNS LABEL Active Service Provider DDNS Type Host Names 1~3 User Password Enable Wildcard Off Line Edit Update IP Address: Server Auto Detect User Specify IP Addr DESCRIPTION...
  • Page 61: Configuring Password

    Table 9 DDNS LABEL Apply Reset 4.5 Configuring Password To change your Prestige’s password (recommended), click SYSTEM, then the Password tab. The screen appears as shown. This screen allows you to change the Prestige’s password. Figure 13 Password The following table describes the labels in this screen. Table 10 Password LABEL Old Password...
  • Page 62: Figure 14 Time Setting

    Prestige 334 User’s Guide Figure 14 Time Setting The following table describes the labels in this screen. Table 11 Time Setting LABEL Use Time Server when Bootup Time Server Address Current Time New Time Current Date DESCRIPTION Select the time service protocol that your time server sends when you turn on the Prestige.
  • Page 63 Table 11 Time Setting LABEL New Date Time Zone Daylight Savings Start Date End Date Apply Reset Chapter 4 System Screens DESCRIPTION This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this field and then click Apply.
  • Page 64 Prestige 334 User’s Guide Chapter 4 System Screens...
  • Page 65: Chapter 5 Lan Screens

    This chapter describes how to configure LAN settings. 5.1 LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.
  • Page 66: Ip Address And Subnet Mask

    Prestige 334 User’s Guide • IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits) • DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
  • Page 67: Configuring Ip

    224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 68: Figure 15 Lan Ip

    Prestige 334 User’s Guide Figure 15 LAN IP The following table describes the labels in this screen. Table 12 LAN IP LABEL DESCRIPTION DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server.
  • Page 69 Table 12 LAN IP LABEL First DNS Server Second DNS Server Third DNS Server LAN TCP/IP IP Address IP Subnet Mask RIP Direction RIP Version Multicast Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 70: Configuring Static Dhcp

    Table 12 LAN IP LABEL DESCRIPTION Allow between LAN and WAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
  • Page 71: Configuring Ip Alias

    Figure 16 Static DHCP The following table describes the labels in this screen. Table 13 Static DHCP LABEL MAC Address IP Address Apply Reset 5.6 Configuring IP Alias IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
  • Page 72: Figure 17 Ip Alias

    Prestige 334 User’s Guide Figure 17 IP Alias The following table describes the labels in this screen. Table 14 IP Alias LABEL DESCRIPTION IP Alias 1,2 Select the check box to configure another LAN network for the Prestige. IP Address Enter the IP address of your Prestige in dotted decimal notation.
  • Page 73: Chapter 6 Wan Screens

    This chapter describes how to configure WAN settings. 6.1 WAN Overview See the Wizard Setup chapter for more information on the fields in the WAN screens. 6.2 TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
  • Page 74: Configuring Wan Isp

    Figure 18 WAN: Route The following table describes the labels in this screen. Table 15 WAN: Route LABEL DESCRIPTION WAN Traffic Redirect The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
  • Page 75: Pppoe Encapsulation

    Figure 19 Ethernet Encapsulation The following table describes the labels in this screen. Table 16 Ethernet Encapsulation LABEL DESCRIPTION Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Service Type Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login.
  • Page 76 Prestige 334 User’s Guide For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
  • Page 77: Figure 20 Pppoe Encapsulation

    Figure 20 PPPoE Encapsulation The following table describes the labels in this screen. Table 17 PPPoE Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPP over Ethernet choice is for a dial-up connection using PPPoE. The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e.
  • Page 78: Pptp Encapsulation

    Prestige 334 User’s Guide 6.4.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 79: Configuring Wan Ip

    Table 18 PPTP Encapsulation LABEL Retype to Confirm Nailed-up Connection Idle Timeout PPTP Configuration My IP Address My IP Subnet Mask Server IP Address Connection ID/Name Apply Reset 6.5 Configuring WAN IP To change your Prestige’s WAN IP settings, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select.
  • Page 80: Figure 22 Wan: Ip

    Prestige 334 User’s Guide Figure 22 WAN: IP The following table describes the labels in this screen. Table 19 WAN: IP LABEL WAN IP Address Assignment Get automatically from Use fixed IP address My WAN IP Address My WAN IP Subnet Mask (Ethernet only) Remote IP Address Gateway/Remote IP...
  • Page 81 Table 19 WAN: IP LABEL Network Address Translation Metric (PPPoE and PPTP only) Private (PPPoE and PPTP only) RIP Direction RIP Version Chapter 6 WAN Screens DESCRIPTION Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 82: Configuring Wan Mac

    Prestige 334 User’s Guide Table 19 WAN: IP LABEL Multicast Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
  • Page 83: Traffic Redirect

    Otherwise, click Spoof this computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
  • Page 84: Configuring Traffic Redirect

    Prestige 334 User’s Guide Figure 25 Traffic Redirect LAN Setup 6.8 Configuring Traffic Redirect To change your Prestige’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown. Figure 26 WAN: Traffic Redirect The following table describes the labels in this screen. Table 20 Traffic Redirect LABEL DESCRIPTION...
  • Page 85 Table 20 Traffic Redirect LABEL DESCRIPTION Metric This field sets this route's priority among the routes the Prestige uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
  • Page 86 Prestige 334 User’s Guide Chapter 6 WAN Screens...
  • Page 87: Network Address Translation (Nat) Screens

    Network Address Translation This chapter discusses how to configure NAT on the Prestige. 7.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.
  • Page 88: What Nat Does

    Prestige 334 User’s Guide 7.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 89: Nat Application

    Figure 27 How NAT Works 7.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 90: Nat Mapping Types

    Prestige 334 User’s Guide Figure 28 NAT Application With IP Alias 7.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address.
  • Page 91: Using Nat

    The following table summarizes these types. Table 22 NAT Mapping Types TYPE One-to-One Many-to-One (SUA/PAT) Many-to-Many Overload Many One-to-One Server 7.2 Using NAT 7.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 92: Default Server Ip Address

    Prestige 334 User’s Guide You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.
  • Page 93: Configuring Servers Behind SUA (Example)

    The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Please also refer to the Supporting CD for more examples and details on SUA/NAT.
    Table 23 Services and Port Numbers
    SERVICES: ECHO | FTP (File Transfer Protocol)
  • Page 94: Configuring SUA Server

    Figure 29 Multiple Servers Behind NAT Example
    7.4 Configuring SUA Server
    Click SUA/NAT to open the SUA Server screen. Refer to Table 23 for port numbers commonly used for particular services.
    Note: If you do not assign a Default Server IP Address, the Prestige discards all packets received for ports that are not specified in this screen or remote management.
  • Page 95: Figure 30 SUA/NAT Setup

    Figure 30 SUA/NAT Setup
    The following table describes the labels in this screen.
    Table 24 SUA/NAT Setup
    Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP Address, the Prestige discards all packets received for ports that are not specified in this screen or remote management.
  • Page 96: Configuring Address Mapping

    7.5 Configuring Address Mapping
    Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
  • Page 97: Configuring Address Mapping

    Table 25 Address Mapping
    Type:
    1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
    2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature, which was the only mapping type that previous ZyXEL routers supported.
  • Page 98: Figure 32 Address Mapping Edit

    Figure 32 Address Mapping Edit
    The following table describes the labels in this screen.
    Table 26 Address Mapping Edit
    Type: Choose the port mapping type from one of the following.
    1. One-to-One: One-to-One mode maps one local IP address to one global IP address.
  • Page 99: Trigger Port Forwarding

    7.6 Trigger Port Forwarding
    Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
  • Page 100: Two Points To Remember About Trigger Ports

    7.6.2 Two Points To Remember About Trigger Ports
    1 Trigger events only happen on data that is coming from inside the Prestige and going to the outside.
    2 If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN can’t trigger it.
  • Page 101

    Table 27 Trigger Port
    Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Prestige forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  • Page 103: Static Route Screens

    This chapter shows you how to configure static routes for your Prestige.
    8.1 Static Route Overview
    Each remote node specifies only the network to which the gateway is directly connected, and the Prestige has no knowledge of the networks beyond. For instance, the Prestige knows about network N2 in the following figure through remote node router R1.
  • Page 104: Configuring Route Entry

    Figure 36 Static Route
    The following table describes the labels in this screen.
    Table 28 Static Route
    Number of an individual static route.
    Name: Name that describes or identifies this route.
    Active: This field shows whether this static route is active (Yes) or not (No).
    Destination: This parameter specifies the IP network address of the final destination.
  • Page 105: Figure 37 Static Route: Edit

    Figure 37 Static Route: Edit
    The following table describes the labels in this screen.
    Table 29 Static Route: Edit
    Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
    Active: This field allows you to activate/deactivate this static route.
  • Page 107: Chapter 9 UPnP

    This chapter introduces the Universal Plug and Play feature.
    9.1 Universal Plug and Play Overview
    Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 108: UPnP And ZyXEL

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
    9.2 UPnP and ZyXEL
    ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
  • Page 109: Installing UPnP In Windows Example

    Figure 38 Configuring UPnP
    The following table describes the labels in this screen.
    Table 30 Configuring UPnP
    LABEL: Enable the Universal Plug and Play (UPnP) feature | Allow users to make configuration changes through UPnP | Allow UPnP to pass through firewall | Apply | Reset
    9.4 Installing UPnP in Windows Example...
  • Page 110: Installing UPnP In Windows Me

    9.4.1 Installing UPnP in Windows Me
    Follow the steps below to install UPnP in Windows Me.
    1 Click Start and Control Panel. Double-click Add/Remove Programs.
    2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 111: Installing UPnP In Windows XP

    9.4.2 Installing UPnP in Windows XP
    Follow the steps below to install UPnP in Windows XP.
    1 Click Start and Control Panel.
    2 Double-click Network Connections.
    3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 112: Using UPnP In Windows XP Example

    9.5 Using UPnP in Windows XP Example
    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device.
  • Page 113: Auto-Discover Your UPnP-Enabled Network Device

    9.5.1 Auto-discover Your UPnP-enabled Network Device
    1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
    2 Right-click the icon and select Properties.
    3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
  • Page 114: Web Configurator Easy Access

    5 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
    6 Double-click the icon to display your current Internet connection status.
    9.5.2 Web Configurator Easy Access
    With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first.
  • Page 115: Web Configurator Easy Access

    1 Click Start and then Control Panel.
    2 Double-click Network Connections.
    3 Select My Network Places under Other Places.
    4 An icon with the description for each UPnP-enabled device displays under Local Network.
    5 Right-click the icon for your ZyXEL device and select Invoke.
  • Page 116

    Follow the steps below to access the web configurator.
    1 Click Start and then Control Panel.
    2 Double-click Network Connections.
    3 Select My Network Places under Other Places.
    4 An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 117: Trend Micro Security Services

    Trend Micro Security Services
    This chapter contains information about configuring Trend Micro Security Services settings, virus protection, parental controls and customization.
    10.1 Trend Micro Security Service Overview
    Trend Micro Security Services (TMSS) are a range of services including virus protection and parental controls designed to address the security needs of computers on a network that access the Internet via broadband routers.
  • Page 118: Figure 39 Service Settings

    Figure 39 Service Settings
    The following table describes the labels in this screen.
    Table 31 Service Settings
    LABEL: Enable Trend Micro Security Services | Security Services Display Interval | Automatically display TMSS Web page every:
    DESCRIPTION: Select the checkbox to enable Trend Micro Security Services on your Prestige.
  • Page 119: Virus Protection

    Table 31 Service Settings
    LABEL: Exception List | Computer(s) that will display Trend Micro Home Network Security Services: | Computer(s) to exclude: | Apply | Reset
    10.3 Virus Protection
    This screen allows you to check the computers in the network for Trend Micro Internet Security.
  • Page 120: Figure 40 Virus Protection

    Figure 40 Virus Protection
    The following table describes the labels in this screen.
    Table 32 Virus Protection
    LABEL: Check for Trend Micro Internet Security | Automatically check for update components | Check for update components every | Scan engine version | Virus pattern version | Client Antivirus Protection Status...
  • Page 121: Parental Controls

    Table 32 Virus Protection
    LABEL: Computer Name | Antivirus Software | Virus Pattern | Scan Engine | Status | Apply | Reset
    10.5 Parental Controls
    Parental Controls lets a parent (LAN administrator) control a LAN user's Internet access privileges by blocking specified categories. You can define time periods and days during which Parental Controls are enabled and block Web pages depending on the filter categories in which they are included.
  • Page 122: Figure 41 Parental Controls License Status

    Figure 41 Parental Controls License Status
    If you have registered with TMSS and your license is valid, you can configure the Parental Controls configuration screen.
  • Page 123: Figure 42 Parental Controls

    Figure 42 Parental Controls
    The following table describes the labels in this screen.
    Table 33 Parental Controls
    LABEL: Enable Parental Controls | Blocking Schedule | Day to Block
    DESCRIPTION: Select the check box to enable this feature on your Prestige.
    Note: The Prestige automatically checks the status of your Trend Micro license.
  • Page 124

    Table 33 Parental Controls
    LABEL: Time of Day to Block (24-Hour Format) | Select Categories | Pornography | Illegal/Questionable | Violence/Hate/Racism | Illegal Drugs | Alcohol/Tobacco | Gambling | Abortion | Exception List | Enforce Parental Control policies for all computers | Include specified address ranges in the Parental Control enforcement.
  • Page 125: Parental Controls Statistics

    Table 33 Parental Controls
    LABEL: Exclude specified address ranges from the Parental Control enforcement. | Available IP Addresses | Selected IP Addresses | Apply | Show Statistics | Reset
    10.6.1 Parental Controls Statistics
    The Prestige can display a record of attempted entries to Web pages or actual entries to Web pages from a list of content filtering categories.
  • Page 126: Figure 43 Parental Controls Statistics

    Figure 43 Parental Controls Statistics
    The following table describes the labels in this screen.
    Table 34 Parental Controls Statistics
    LABEL: Category | Access Attempts | Actual Accesses | Reset | Refresh
    DESCRIPTION: All categories are displayed, including Pornography, Illegal/Questionable, Violence/Hate/Racism, Illegal Drugs, Alcohol/Tobacco, Gambling and Abortion.
  • Page 127: Chapter 11 Firewall

    This chapter gives some background information on firewalls and explains how to get started with the Prestige firewall.
    11.1 Introduction
    11.1.1 What is a Firewall?
    Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks.
  • Page 128: Guidelines For Enhancing Security With Your Firewall

    The Prestige has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas. The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem to the Internet. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world.
  • Page 129: Figure 44 Firewall: Settings

    Figure 44 Firewall: Settings
    The following table describes the labels in this screen.
    Table 35 Firewall: Settings
    Enable Firewall: Select this check box to activate the firewall. The Prestige performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
    Bypass Triangle Route: Select this check box to have the Prestige firewall ignore the use of triangle route...
  • Page 130: The Firewall, NAT And Remote Management

    11.3 The Firewall, NAT and Remote Management
    Figure 45 Firewall Rule Directions
    11.3.1 LAN-to-WAN rules
    LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet. How can you block certain LAN to WAN traffic? You may choose to block certain LAN-to-WAN traffic in the Services screen (click the Services tab).
  • Page 131: Services

    • Configuring WAN or LAN & WAN access for services in the Remote Management screens or SMT menus. When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/Prestige firewall rules. WAN-to-WAN/Prestige firewall rules are Internet to the Prestige WAN interface firewall rules. The default is to block all such traffic.
  • Page 132: Figure 46 Firewall: Service

    Figure 46 Firewall: Service
    The following table describes the labels in this screen.
    Table 36 Firewall: Service
    LABEL: Enable Services Blocking | Available Service | Blocked Service | Custom Port | Type | Port Number | Delete
    DESCRIPTION: Select this check box to enable this feature. This is a list of pre-defined services (ports) you may prohibit your LAN computers from using.
  • Page 133

    Table 36 Firewall: Service
    LABEL: Clear All | Day to Block: | Time of Day to Block (24-Hour Format) | Apply | Reset
    DESCRIPTION: Click Clear All to empty the Blocked Service. Select a check box to configure which days of the week (or every day) you want the content filtering to be active.
  • Page 135: Chapter 12 Content Filtering

    This chapter provides a brief overview of content filtering using the embedded WebGUI.
    12.1 Introduction to Content Filtering
    Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords and should not be confused with packet filtering via SMT menu 21.1.
  • Page 136: Figure 47 Content Filter

    Figure 47 Content Filter
    The following table describes the labels in this screen.
    Table 37 Content Filter
    Restrict Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
  • Page 137

    Table 37 Content Filter
    Keyword: Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.
    Keyword List: This list displays the keywords already added. Click Add after you have typed a keyword.
  • Page 139: Remote Management Screens

    Remote Management Screens
    This chapter provides information on the Remote Management screens.
    13.1 Remote Management Overview
    Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. You may manage your Prestige from a remote location via:
    •...
  • Page 140: Remote Management And NAT

    2 You have disabled that service in one of the remote management screens.
    3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.
    4 There is already another remote management session with an equal or higher priority running.
  • Page 141: Configuring Telnet

    Figure 48 Remote Management: WWW
    The following table describes the labels in this screen.
    Table 38 Remote Management: WWW
    Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
    Server Access: Select the interface(s) through which a computer may access the Prestige using this service.
  • Page 142: Configuring Telnet

    Figure 49 Telnet Configuration on a TCP/IP Network
    13.4 Configuring TELNET
    Click REMOTE MGMT and the TELNET tab to display the screen as shown.
    Figure 50 Remote Management: Telnet
    The following table describes the labels in this screen.
    Table 39 Remote Management: Telnet
    LABEL: Server Port...
  • Page 143: Configuring FTP

    Table 39 Remote Management: Telnet
    Apply: Click Apply to save your customized settings and exit this screen.
    Reset: Click Reset to begin configuring this screen afresh.
    13.5 Configuring FTP
    You can upload and download the Prestige’s firmware and configuration files using FTP. Please see the chapter on firmware and configuration file maintenance for details.
  • Page 144: SNMP

    13.6 SNMP
    Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
  • Page 145: Supported MIBs

    SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
    • Get - Allows the manager to retrieve an object variable from the agent.
    •...
  • Page 146: Figure 53 Remote Management: SNMP

    Figure 53 Remote Management: SNMP
    The following table describes the labels in this screen.
    Table 42 Remote Management: SNMP
    LABEL: SNMP Configuration Get Community Set Community Trusted Host Trap Community Destination SNMP Service Port Service Access
    DESCRIPTION: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
  • Page 147: Configuring DNS

    Table 42 Remote Management: SNMP
    LABEL: Secured Client IP Address | Apply | Reset
    13.7 Configuring DNS
    Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on Wizard Setup for background information. To change your Prestige’s DNS settings, click REMOTE MGMT, then the DNS tab.
  • Page 148: Configuring Security

    Table 43 Remote Management: DNS
    Apply: Click Apply to save your customized settings and exit this screen.
    Reset: Click Reset to begin configuring this screen afresh.
    13.8 Configuring Security
    To change your Prestige’s security settings, click REMOTE MGMT, then the Security tab. The screen appears as shown.
  • Page 149

    Table 44 Security
    Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the Prestige by probing for unused ports. If you select this option, the Prestige will not respond to port request(s) for unused ports, thus leaving the unused ports and the Prestige unseen. By default this option is not selected and the Prestige will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset...
  • Page 151: Chapter 14 Introduction To IPSec

    This chapter introduces the basics of IPSec VPNs.
    14.1 VPN Overview
    A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 152: Data Confidentiality

    Figure 56 Encryption and Decryption
    14.1.3.2 Data Confidentiality
    The IPSec sender can encrypt packets before transmitting them across a network.
    14.1.3.3 Data Integrity
    The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 153: IPSec Algorithms

    Figure 57 IPSec Architecture
    14.2.1 IPSec Algorithms
    The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
  • Page 154: Transport Mode

    Figure 58 Transport and Tunnel Mode IPSec Encapsulation
    14.3.1 Transport Mode
    Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 155: Table 45 VPN And NAT

    NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
  • Page 157: Chapter 15 VPN Screens

    This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the Appendices for IPSec log descriptions.
    15.1 VPN/IPSec Overview
    Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 158: My IP Address

    An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
    Table 46 AH and ESP
    DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key.
  • Page 159: Dynamic Secure Gateway Address

    15.4.1 Dynamic Secure Gateway Address
    If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.
  • Page 160: Figure 60 VPN: Summary

    Figure 60 VPN: Summary
    The following table describes the labels in this screen.
    Table 47 VPN: Summary
    The VPN policy index number.
    Active: This field displays whether the VPN policy is active or not. A Y signifies that this VPN policy is active.
  • Page 161: Keep Alive

    15.6 Keep Alive
    When you initiate an IPSec tunnel with keep alive enabled, the Prestige automatically renegotiates the tunnel when the IPSec SA lifetime period expires ( section for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on”...
  • Page 162: Remote DNS Server

    • Enable NAT traversal on both IPSec endpoints. In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A.
    15.7.2 Remote DNS Server
    In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server.
  • Page 163: ID Type And Content

    15.8 ID Type and Content
    With aggressive negotiation mode (see Section Negotiation Mode), the Prestige identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the Prestige to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
  • Page 164: ID Type And Content Examples

    Table 49 Peer ID Type and Content Fields
    PEER ID TYPE / CONTENT
    E-mail: Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
  • Page 165: Editing VPN Rules

    15.10 Editing VPN Rules
    Click Edit on the Summary screen or click the Rule Setup tab to edit VPN rules.
    Figure 64 VPN: Rule Setup (Basic)
    The following table describes the labels in this screen.
    Table 51 VPN: Rule Setup (Basic)
    Active...
  • Page 166

    Table 51 VPN: Rule Setup (Basic)
    LABEL: IPSec Keying Mode | Local Address | Remote Address Start | Remote Address End/Mask | DNS Server (for IPSec VPN) | My IP Address | Local ID Type | Local Content...
    DESCRIPTION: Select IKE or Manual from the drop-down list box. IKE provides more protection
  • Page 167

    Table 51 VPN: Rule Setup (Basic)
    Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE).
  • Page 168: IKE Phases

    Table 51 VPN: Rule Setup (Basic)
    LABEL: Authentication Algorithm | Advanced | Apply | Reset
    15.11 IKE Phases
    There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
  • Page 169: Negotiation Mode

    • Choose an encryption algorithm.
    • Choose an authentication algorithm.
    • Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography – see Section Perfect Forward Secrecy (PFS). Select None (the default) to disable PFS.
    • Choose Tunnel mode or Transport mode.
    • Set the IPSec SA lifetime.
  • Page 170: Configuring Advanced IKE Settings

    This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Prestige. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
  • Page 171: Figure 66 VPN IKE: Advanced

    Figure 66 VPN IKE: Advanced
  • Page 172: Table 52 VPN IKE: Advanced

    The following table describes the labels in this screen.
    Table 52 VPN IKE: Advanced
    LABEL: Active | Keep Alive | NAT Traversal | IPSec Keying Mode | Protocol Number | Enable Replay Detection | Local Address | Local Port Start | Local Port End | Remote Address Start
    DESCRIPTION: Select this check box to activate this VPN policy.
  • Page 173

    Table 52 VPN IKE: Advanced
    LABEL: Remote Address End/Mask | Remote Port Start | Remote Port End | DNS Server (for IPSec VPN) | My IP Address | Local ID Type | Local Content | Secure Gateway Address | Peer ID Type
    DESCRIPTION: When the remote IP address is a single address, type it a second time here.
  • Page 174

    Table 52 VPN IKE: Advanced
    LABEL: Peer Content | IKE Phase 1 | Negotiation Mode | Encryption Algorithm | Authentication Algorithm | SA Life Time | Key Group | Pre-Shared Key | IKE Phase 2 | Encapsulation Mode
    DESCRIPTION: The configuration of the peer content depends on the peer ID type.
    •...
  • Page 175: Manual Key Setup

    Table 52 VPN IKE: Advanced
    LABEL: IPSec Protocol | Encryption Algorithm | Authentication Algorithm | SA Life Time | Perfect Forward Secrecy (PFS) | Basic | Apply | Reset
    DESCRIPTION: Select ESP or AH from the drop-down list box.
    15.13 Manual Key Setup
    Manual key management is useful if you have problems with IKE key management.
  • Page 176: Security Parameter Index (SPI)

    15.13.1 Security Parameter Index (SPI)
    An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index) along with a destination IP address uniquely identify a particular Security Association (SA).
  • Page 177: Figure 67 Setup: Manual

    Figure 67 Setup: Manual
    The following table describes the labels in this screen.
    Table 53 Rule Setup: Manual
    LABEL: Active | IPSec Keying Mode | Protocol Number | Local Address | Local Port Start
    DESCRIPTION: Select this check box to activate this VPN policy. Select IKE or Manual from the drop-down list box.
  • Page 178

    Table 53 Rule Setup: Manual
    LABEL: Local Port End | Remote Address Start | Remote Address End/Mask | Remote Port Start | Remote Port End | DNS Server (for IPSec VPN) | My IP Address | Secure Gateway IP Address | Encapsulation Mode | Enable Replay Detection | IPSec Protocol...
  • Page 179: Viewing SA Monitor

    Table 53 Rule Setup: Manual
    LABEL: Encryption Algorithm | Authentication Algorithm | Encryption Key (Only with ESP) | Authentication Key | Apply | Reset
    15.15 Viewing SA Monitor
    In the web configurator, click VPN and the SA Monitor tab. Use this screen to display and manage active VPN connections.
  • Page 180: Configuring Global Setting

    Figure 68 SA Monitor
    The following table describes the labels in this screen.
    Table 54 SA Monitor
    LABEL: Name | Encapsulation | IPSec Algorithm | Previous Page (If applicable) | Refresh | Next Page (If applicable)
    15.16 Configuring Global Setting
    To change your Prestige’s Global Settings, click VPN, then the Global Setting tab. The screen appears as shown.
  • Page 181: Telecommuter VPN/IPSec Examples

    Figure 69 VPN: Global Setting
    The following table describes the labels in this screen.
    Table 55 VPN: Global Setting
    LABEL: Windows Networking (NetBIOS over TCP/IP) | Allow Through IP/Sec Tunnel | Apply | Reset
    15.17 Telecommuter VPN/IPSec Examples
    The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters from remote IPSec routers that use dynamic WAN IP addresses.
  • Page 182: Telecommuters Using Unique Vpn Rules Example

    Having everyone use the same pre-shared key may create a vulnerability. If the pre-shared key is compromised, all of the VPN connections using that VPN rule are at risk. A recommended alternative is to use a different VPN rule for each telecommuter and identify them by unique IDs (see the Telecommuters Using Unique VPN Rules Example section). Table 56 Telecommuter and Headquarters Configuration Example...
  • Page 183: Vpn And Remote Management

    See the following graphic for an example where three telecommuters each use a different VPN rule to initiate a VPN connection to a Prestige located at headquarters. The Prestige at headquarters identifies each by its secure gateway address (a dynamic domain name) and uses the appropriate VPN rule to establish the VPN connection.
  • Page 185: Chapter 16 Centralized Logs

    This chapter contains information about configuring general log settings and viewing the Prestige’s logs. Refer to the appendices for example log message explanations. 16.1 View Log The web configurator allows you to look at all of the Prestige’s logs in one location. Click LOGS in the navigation panel to open the View Log screen.
  • Page 186: Figure 72 View Logs

    Prestige 334 User’s Guide Figure 72 View Logs The following table describes the labels in this screen. Table 57 View Logs LABEL DESCRIPTION Display The categories that you select in the Log Settings page (see section ) display in the drop-down list box. Select a category of logs to view;...
  • Page 187: Log Settings

    16.2 Log Settings You can configure the Prestige’s general log settings in one location. Click LOGS in the navigation panel and then the Log Settings tab to open the Log Settings screen. Use the Log Settings screen to configure where the Prestige sends logs, the schedule for sending them, and which logs and/or immediate alerts the Prestige sends.
  • Page 188: Figure 73 Log Settings

    Prestige 334 User’s Guide Figure 73 Log Settings The following table describes the labels in this screen. Table 58 Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 189 Table 58 Log Settings LABEL DESCRIPTION Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the Prestige sends. Not all Prestige models have this field. Send Log To The Prestige sends logs to the e-mail address specified in this field. If this field is left blank, the Prestige does not send logs via e-mail.
  • Page 191: Chapter 17 Maintenance

    This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 17.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Prestige. 17.2 Status Screen Click MAINTENANCE to open the Status screen, which you can use to monitor your Prestige.
  • Page 192: Figure 74 Maintenance Status

    Prestige 334 User’s Guide Figure 74 Maintenance Status The following table describes the labels in this screen. Table 59 Maintenance Status LABEL DESCRIPTION System Name This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes Model Name The model name identifies your device type.
  • Page 193: System Statistics

    17.2.1 System Statistics Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable. Figure 75 Maintenance System Statistics The following table describes the labels in this screen. Table 60 Maintenance System Statistics LABEL DESCRIPTION...
  • Page 194: F/W Upload Screen

    Prestige 334 User’s Guide Click MAINTENANCE, and then the DHCP Table tab. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP Client information (including IP Address, Host Name and MAC Address) of all network clients using the DHCP server. Figure 76 Maintenance DHCP Table The following table describes the labels in this screen.
  • Page 195: Preparing Your Prestige For Firmware Upload

    Use the upgrade tool file with a "*.exe" extension found in the ZIP file and follow the steps to begin the firmware upgrade. 17.4.1 Preparing your Prestige for Firmware Upload 1 Change the login password of the Prestige to the factory default password of “1234”. 2 Change the IP address of the Prestige to the factory default IP address of “192.168.1.1”...
  • Page 196: Figure 78 Upgrade Tool

    Prestige 334 User’s Guide Figure 78 Upgrade Tool If you log into your Prestige before the upgrade is complete, the following screen is displayed. Figure 79 Upload Warning 6 The Prestige automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 197: Configuration Screen

    8 Log in again and check your new firmware version in the System Status screen. 17.5 Configuration Screen See the Firmware and Configuration File Maintenance chapter for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
  • Page 198: Restore Configuration

    Click Backup to save the Prestige’s current configuration to your computer. 17.5.2 Restore Configuration Restore configuration allows you to upload a new or previously saved configuration file from your computer to your Prestige. Table 62 Maintenance Restore Configuration LABEL DESCRIPTION File Path...
  • Page 199: Back To Factory Defaults

    If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. Figure 84 Configuration Restore Error 17.5.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the Prestige to its factory defaults as shown on the screen.
  • Page 200: Figure 86 System Restart

    Prestige 334 User’s Guide Figure 86 System Restart Chapter 17 Maintenance...
  • Page 201: Chapter 18 Introducing The Smt

    This chapter explains how to access and navigate the System Management Terminal and gives an overview of its menus. 18.1 SMT Introduction The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus.
  • Page 202: Prestige Smt Menu Overview

    Figure 87 Login Screen Enter Password : **** 18.1.3 Prestige SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige. Figure 88 SMT Menu Overview 18.2 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige.
  • Page 203: Table 63 Main Menu Commands

    Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Table 63 Main Menu Commands OPERATION KEYSTROKE Move down to [ENTER] another menu Move up to a [ESC] previous menu Move to a “hidden”...
  • Page 204: System Management Terminal Interface Summary

    Prestige 334 User’s Guide Figure 89 SMT Main Menu Copyright (c) 1994 - 2004 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11. Remote Node Setup 12. Static Routing Setup 15.
  • Page 205: Changing The System Password

    18.3 Changing the System Password Change the Prestige default password by following the steps shown next. 1 Enter 23.1 in the main menu to display Menu 23.1 - System Security - Change Password. 2 Type your existing system password in the Old Password field, for example “1234”, and press [ENTER] Figure 90 Menu 23 System Password Menu 23.1 - System Security - Change Password...
  • Page 207: Chapter 19 Menu 1 General Setup

    Menu 1 - General Setup contains administrative and system-related information. 19.1 General Setup Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name". In Windows 95/98 click Start, Settings, Control Panel, Network.
  • Page 208: Figure 91 Menu 1 General Setup

    Prestige 334 User’s Guide Figure 91 Menu 1 General Setup. Menu 1 - General Setup Press ENTER to Confirm or ESC to Cancel: 2 Fill in the required fields. Refer to the table shown next for more information about these fields.
  • Page 209: Procedure To Configure Dynamic Dns

    19.2.1 Procedure to Configure Dynamic DNS To configure Dynamic DNS, go to Menu 1 — General Setup and select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1— Configure Dynamic DNS as shown next. Figure 92 Menu 1.1 Configure Dynamic DNS Menu 1.1 - Configure Dynamic DNS Press ENTER to Confirm or ESC to Cancel: Follow the instructions in the next table to configure Dynamic DNS parameters.
  • Page 210 Prestige 334 User’s Guide Table 66 Menu 1.1 Configure Dynamic DNS FIELD DESCRIPTION Offline This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, /www.dyndns.org/ (see Edit Update IP Address:...
  • Page 211: Chapter 20 Menu 2 Wan Setup

    This chapter describes how to configure the WAN using menu 2. 20.1 Introduction to WAN This chapter explains how to configure settings for your WAN port. 20.2 WAN Setup From the main menu, enter 2 to open menu 2. Figure 93 Menu 2 WAN Setup Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
  • Page 213: Chapter 21 Menu 3 Lan Setup

    This chapter covers how to configure your wired Local Area Network (LAN) settings. 21.1 LAN Setup This section describes how to configure the Ethernet using Menu 3 — LAN Setup. From the main menu, enter 3 to display menu 3. Figure 94 Menu 3 LAN Setup Enter Menu Selection Number: 21.1.1 General Ethernet Setup...
  • Page 214: Protocol Dependent Ethernet Setup

    Prestige 334 User’s Guide 21.2 Protocol Dependent Ethernet Setup Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below. • For TCP/IP Ethernet setup refer to the Internet Access Application chapter. • For bridging Ethernet setup refer to the Bridging Setup chapter. 21.3 TCP/IP Ethernet Setup and DHCP Use menu 3.2 to configure your Prestige for TCP/IP.
  • Page 215: Table 69 Menu 3.2: Lan Tcp/Ip Setup Fields

    Table 68 DHCP Ethernet Setup Fields FIELD DESCRIPTION Size of Client IP This field specifies the size, or count of the IP address pool. Pool The Prestige passes a DNS (Domain Name System) server IP address (in the order First DNS Server you specify here) to the DHCP clients.
  • Page 216: Ip Alias Setup

    Prestige 334 User’s Guide 21.3.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. Figure 97 Physical Network &...
  • Page 217 Table 70 Menu 3.2.1: IP Alias Setup FIELD DESCRIPTION IP Subnet Mask Your Prestige will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Prestige. RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP direction.
  • Page 219: Chapter 22 Internet Access

    This chapter shows you how to configure your Prestige for Internet access. 22.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your Prestige to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
  • Page 220: Figure 99 Menu 4 Internet Access Setup

    Prestige 334 User’s Guide Figure 99 Menu 4 Internet Access Setup ISP's Name= MyISP Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only...
  • Page 221: Configuring The Pptp Client

    Table 71 Internet Access Setup (Ethernet Gateway IP Address Network Address Translation When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. 22.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 222: Configuring The Pppoe Client

    Prestige 334 User’s Guide Figure 100 Internet Access Setup (PPTP) Menu 4 - Internet Access Setup Press ENTER to Confirm or ESC to Cancel: The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. Table 72 New Fields in Menu 4 (PPTP) Screen FIELD DESCRIPTION...
  • Page 223: Basic Setup Complete

    Figure 101 Internet Access Setup (PPPoE) ISP's Name= MyISP Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: The following table contains instructions about the new fields when you choose PPPoE in the...
  • Page 225: Remote Node Configuration

    Remote Node Configuration This chapter covers remote node configuration. 23.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node.
  • Page 226: Figure 102 Menu 11.1 Remote Node Profile For Ethernet Encapsulation

    Prestige 334 User’s Guide Figure 102 Menu 11.1 Remote Node Profile for Ethernet Encapsulation Rem Node Name= MyISP Active= Yes Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Relogin Every (min)= The following table describes the fields in this menu.
  • Page 227: Pppoe Encapsulation

    Table 74 Menu 11.1 Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Edit IP This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3 - Remote Node Network Layer Options. Session Options Edit Filter Sets This field leads to another “hidden”...
  • Page 228: Nailed-Up Connection

    Prestige 334 User’s Guide 23.2.2.2 Nailed-Up Connection A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Prestige does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Prestige will try to bring up the connection when turned on and whenever the connection is down.
  • Page 229: Edit Ip

    Figure 104 Menu 11.1 Remote Node Profile for PPTP Encapsulation Rem Node Name= MyISP Active= Yes Encapsulation= PPTP Service Type= Standard Service Name= N/A Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP PPTP: My IP Addr= My IP Mask= Server IP Addr= Connection ID/Name=...
  • Page 230: Figure 105 Menu 11.3 Remote Node Network Layer Options For Ethernet Encapsulation

    Prestige 334 User’s Guide Figure 105 Menu 11.3 Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.3 - Remote Node Network Layer Options Enter here to CONFIRM or ESC to CANCEL: This menu displays the My WAN Addr field for PPPoE and PPTP encapsulations and Gateway IP Addr field for Ethernet encapsulation.
  • Page 231: Remote Node Filter

    Table 77 Remote Node Network Layer Options FIELD DESCRIPTION Metric Enter a number from 1 to 15 to set this route’s priority among the Prestige’s routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher priority the route has.
  • Page 232: Traffic Redirect Setup

    Prestige 334 User’s Guide Figure 106 Menu 11.5: Remote Node Filter (Ethernet Encapsulation) Menu 11.5 - Remote Node Filter Enter here to CONFIRM or ESC to CANCEL: Figure 107 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.5 - Remote Node Filter Enter here to CONFIRM or ESC to CANCEL: 23.4.1 Traffic Redirect Setup Configure parameters that determine when the Prestige will forward WAN traffic to the...
  • Page 233: Figure 108 Menu 11.6: Traffic Redirect Setup

    Figure 108 Menu 11.6: Traffic Redirect Setup Active= Yes Configuration: Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen. Table 78 Menu 11.6: Traffic Redirect Setup FIELD DESCRIPTION Active Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup.
  • Page 235: Chapter 24 Static Route Setup

    This chapter shows how to set up IP static routes. 24.1 IP Static Route Setup To configure an IP static route, use Menu 12 – Static Routing Setup (shown next). Figure 109 Menu 12 IP Static Route Setup Menu 12 - IP Static Route Setup Enter selection number: Now, type the route number of a static route you want to configure.
  • Page 236: Figure 110 Menu12.1 Edit Ip Static Route

    Prestige 334 User’s Guide Figure 110 Menu12.1 Edit IP Static Route Menu 12.1 - Edit IP Static Route Press ENTER to Confirm or ESC to Cancel: The following table describes the fields for Menu 12.1 – Edit IP Static Route Setup. Table 79 Menu12.1 Edit IP Static Route FIELD Route #...
  • Page 237: Network Address Translation (Nat)

    Network Address Translation This chapter discusses how to configure NAT on the Prestige. 25.1 Using NAT 25.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See section Address Mapping Sets for a detailed description of the NAT set for SUA.
  • Page 238: Figure 111 Menu 4 Applying Nat For Internet Access

    Prestige 334 User’s Guide Figure 111 Menu 4 Applying NAT for Internet Access ISP's Name= MyISP Encapsulation= Ethernet IP Address Assignment= Dynamic Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: The following figure shows how you apply NAT to the remote node in menu 11.1. 1 Enter 11 from the main menu.
  • Page 239: Nat Setup

    Figure 112 Menu 11.3 Applying NAT to the Remote Node Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 1 Private= N/A RIP Direction= None Version= N/A...
  • Page 240: Address Mapping Sets

    Prestige 334 User’s Guide Figure 113 Menu 15 NAT Setup Menu 15 - NAT Setup Enter Menu Selection Number: 25.3.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets. Figure 114 Menu 15.1 Address Mapping Sets Enter 255 to display the next screen (see The fields in this menu cannot be changed.
  • Page 241: User-Defined Address Mapping Sets

    Figure 115 Menu 15.1.255 SUA Address Mapping Rules Set Name= SUA Local Start IP Local End IP -------------- --------------- --------------- --------------- ------ 0.0.0.0 The following table explains the fields in this menu. Table 81 SUA Address Mapping Rules FIELD Set Name Local Start IP Local End IP Global Start IP...
  • Page 242: Ordering Your Rules

    Prestige 334 User’s Guide Figure 116 Menu 15.1.1 First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP --------------- -------------- --------------- --------------- 25.3.1.2 Ordering Your Rules Ordering your rules is important because the Prestige applies the rules in the order that you specify.
  • Page 243: Table 82 Menu 15.1.1 First Set

    Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Table 82 Menu 15.1.1 First Set FIELD DESCRIPTION Set Name...
  • Page 244: Configuring A Server Behind Nat

    Prestige 334 User’s Guide Figure 117 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set Menu 15.1.1.1 Address Mapping Rule Press ENTER to Confirm or ESC to Cancel: The following table explains the fields in this menu. Table 83 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Type...
  • Page 245: General Nat Examples

    Figure 118 Menu 15.2.1 NAT Server Setup Menu 15.2 - NAT Server Setup Rule Start Port No. --------------------------------------------------- Default Press ENTER to Confirm or ESC to Cancel: 3 Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field.
  • Page 246: Example 1: Internet Access Only

    Prestige 334 User’s Guide 25.5.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where the ILAs (Inside Local Addresses) of computers A through D map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 247: Example 3: Multiple Public Ip Addresses With Inside Servers

    Figure 122 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Figure 123 Menu 15.2.1 Specifying an Inside Server Rule Start Port No.
  • Page 248: Figure 124 Nat Example 3

    Prestige 334 User’s Guide 4 You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN. The example situation looks somewhat like this: Figure 124 NAT Example 3 1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address...
  • Page 249: Figure 125 Nat Example 3: Menu 11.3

    Figure 125 NAT Example 3: Menu 11.3 Menu 11.3 - Remote Node Network Layer Options Enter here to CONFIRM or ESC to CANCEL: The following figures show how to configure the first rule. Chapter 25 Network Address Translation (NAT) IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A...
  • Page 250: Figure 126 Example 3: Menu 15.1.1.1

    Prestige 334 User’s Guide Figure 126 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 127 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP --------------- -------------- --------------- --------------- ------...
  • Page 251: Example 4: Nat Unfriendly Application Programs

    Figure 128 Example 3: Menu 15.2 Menu 15.2 - NAT Server Setup Rule Start Port No. --------------------------------------------------- Press ENTER to Confirm or ESC to Cancel: HTTP:80 FTP:21 Telnet:23 SMTP:25 POP3:110 PPTP:1723 25.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 252: Figure 129 Nat Example 4

    Figure 129 NAT Example 4 Follow the steps outlined in example 3 to configure these two menus as follows. Figure 130 Example 4: Menu 15.1.1.1 Address Mapping Rule. Menu 15.1.1.1 Address Mapping Rule Press ENTER to Confirm or ESC to Cancel: After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • Page 253: Configuring Trigger Port Forwarding

    Figure 131 Example 4: Menu 15.1.1 Address Mapping Rules Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP -------------- -------------- --------------- --------------- ------ 192.168.1.10 25.6 Configuring Trigger Port Forwarding Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown next. Chapter 25 Network Address Translation (NAT) Global Start IP Global End IP 192.168.1.12...
  • Page 254: Figure 132 Menu 15.3 Trigger Port Setup

    Prestige 334 User’s Guide Figure 132 Menu 15.3 Trigger Port Setup Menu 15.3 - Trigger Port Setup Rule Name ---------------------------------------------------------------------- Real Audio The following table describes the fields in this screen. Table 84 Menu 15.3 Trigger Port Setup FIELD DESCRIPTION Rule This is the rule index number.
  • Page 255: Chapter 26 Enabling The Firewall

    This chapter shows you how to get started with the Prestige firewall. 26.1 Remote Management and the Firewall When SMT menu 24.11 is configured to allow management (see the Remote Management chapter) and the firewall is enabled: • The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
  • Page 256: Figure 133 Menu 21.2 Firewall Setup

    Prestige 334 User’s Guide Figure 133 Menu 21.2 Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
  • Page 257: Chapter 27 Filter Configuration

    This chapter shows you how to create and apply filters. 27.1 Introduction to Filters Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
  • Page 258: The Filter Structure Of The Prestige

    Prestige 334 User’s Guide 27.1.1 The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 259: Configuring A Filter Set

    Figure 135 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 260: Figure 136 Menu 21: Filter And Firewall Setup

    Prestige 334 User’s Guide Figure 136 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup Enter Menu Selection Number: 2 Enter 1 to bring up the following menu. Figure 137 Menu 21.1: Filter Set Configuration Filter Set # ------ -----------------...
  • Page 261: Configuring A Filter Rule

    Table 85 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION Action Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. Action Not Matched “F”...
  • Page 262: Figure 138 Menu 21.1.1.1 Tcp/Ip Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Figure 138 Menu 21.1.1.1 TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 87 TCP/IP Filter Rule FIELD DESCRIPTION...
  • Page 263 Table 87 TCP/IP Filter Rule FIELD DESCRIPTION Source IP Address Enter the source IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Source: IP Addr. Port # Enter the source port of the packets that you wish to filter.
  • Page 264: Configuring A Generic Filter Rule

    Prestige 334 User’s Guide Figure 139 Executing an IP Filter 27.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 265: Figure 140 Menu 21.1.4.1 Generic Filter Rule

    Figure 140 Menu 21.1.4.1 Generic Filter Rule The following table describes the fields in the Generic Filter Rule menu. Table 88 Generic Filter Rule Menu Fields FIELD DESCRIPTION Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
  • Page 266: Example Filter

    Prestige 334 User’s Guide Table 88 Generic Filter Rule Menu Fields FIELD DESCRIPTION Action Select the action for a packet matching the rule. Matched Action Not Select the action for a packet not matching the rule. Matched Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message “Press ENTER to Confirm”...
  • Page 267: Figure 142 Example Filter: Menu 21.1.3.1

    Figure 142 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. • Select Yes from the Active field to activate this rule. • 6 is the TCP IP Protocol. •...
  • Page 268: Filter Types And Nat

    Prestige 334 User’s Guide Figure 143 Example Filter Rules Summary: Menu 21.1.3 # A Type - - ---- --------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
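The rule-by-rule process described in this chapter (Action Matched and Action Not Matched of F, D or N, rules checked in order) can be modelled to audit a filter set before it is applied to a port. This is an added Python example, not code or output from the ZyXEL manual. Assumptions: Action Not Matched uses the same F/D/N letters, a value of 0 for Pr or DP means "any", inactive rules are skipped, a packet that falls off the end of the set is forwarded, and the second rule line and all packets are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

FORWARD, DROP, NEXT = "F", "D", "N"
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+([YN])\s+IP\s+(.+)$")

# Rule line as shown in the manual's Menu 21.1.3 summary (telnet, TCP/23).
TELNET_LINE = "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23"
# Constructed second rule (not from the manual): UDP destination port 161.
SNMP_LINE = "2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=161"


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: int


@dataclass
class IpRule:
    index: int
    active: bool
    proto: int          # 0 = any protocol (assumption)
    sa: str             # 0.0.0.0 = field ignored, as the manual states
    da: str
    dp: int             # 0 = any port (assumption)
    matched: str        # action when the packet matches: F, D or N
    not_matched: str    # action when it does not: F, D or N (assumption)
    sa_mask: str = "255.255.255.255"
    da_mask: str = "255.255.255.255"

    def matches(self, pkt):
        return (self.proto in (0, pkt.proto)
                and self.dp in (0, pkt.dport)
                and _addr_ok(self.sa, self.sa_mask, pkt.src)
                and _addr_ok(self.da, self.da_mask, pkt.dst))


def _addr_ok(rule_ip, mask, pkt_ip):
    """Masked address comparison; a rule address of 0.0.0.0 is ignored."""
    if rule_ip == "0.0.0.0":
        return True
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(rule_ip)) & m) == (int(ipaddress.IPv4Address(pkt_ip)) & m)


def parse_summary(line, matched, not_matched):
    """Build a rule from a 'Pr=.., SA=.., DA=.., DP=..' summary line.

    The two actions are passed separately because the summary columns that
    carry them are not legible on this page.
    """
    m = SUMMARY_RE.match(line)
    if not m:
        raise ValueError("not an IP filter summary line: %r" % line)
    for action in (matched, not_matched):
        if action not in (FORWARD, DROP, NEXT):
            raise ValueError("unknown action %r" % action)
    fields = dict(item.strip().split("=", 1) for item in m.group(3).split(","))
    return IpRule(index=int(m.group(1)), active=(m.group(2) == "Y"),
                  proto=int(fields.get("Pr", 0)), sa=fields.get("SA", "0.0.0.0"),
                  da=fields.get("DA", "0.0.0.0"), dp=int(fields.get("DP", 0)),
                  matched=matched, not_matched=not_matched)


def evaluate(rules, pkt, default=FORWARD):
    """Return (action, rule index) for the first rule that ends the check."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.matched if rule.matches(pkt) else rule.not_matched
        if action != NEXT:
            return action, rule.index
    return default, None


def shadowed_rules(rules):
    """Indexes of active rules that no packet can reach.

    Once a rule has neither action set to N, every packet is forwarded or
    dropped there, so all later rules in the set are dead.
    """
    hidden, terminal_seen = [], False
    for rule in rules:
        if not rule.active:
            continue
        if terminal_seen:
            hidden.append(rule.index)
        elif NEXT not in (rule.matched, rule.not_matched):
            terminal_seen = True
    return hidden


def build_set(first_not_matched):
    """Two-rule set; only the first rule's Action Not Matched varies."""
    return [parse_summary(TELNET_LINE, DROP, first_not_matched),
            parse_summary(SNMP_LINE, DROP, FORWARD)]
```

With the first rule's Action Not Matched set to F, the constructed second rule never runs and the UDP/161 packet is forwarded; `shadowed_rules` reports that before the set is applied.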
  • Page 269: Firewall Versus Filters

    Figure 144 Protocol and Device Filter Sets 27.5 Firewall Versus Filters Firewall configuration is discussed in the firewall chapters of this manual. Further comparisons are also made between filtering, NAT and the firewall. 27.6 Applying a Filter This section shows you where to apply the filter(s) after you design it (them). The Prestige already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. 27.6.1 Applying LAN Filters...
  • Page 270: Applying Remote Node Filters

    Prestige 334 User’s Guide Figure 145 Filtering LAN Traffic Menu 3.1 - LAN Port Filter Setup Press ENTER to Confirm or ESC to Cancel: 27.6.2 Applying Remote Node Filters Go to menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
  • Page 271: Chapter 28 Snmp Configuration

    This chapter explains SNMP Configuration menu 22. 28.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
  • Page 272: Supported Mibs

    Prestige 334 User’s Guide The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects.
  • Page 273: Snmp Traps

    Figure 148 Menu 22 SNMP Configuration Menu 22 - SNMP Configuration Press ENTER to Confirm or ESC to Cancel: The following table describes the SNMP configuration parameters. Table 89 Menu 22 SNMP Configuration FIELD DESCRIPTION SNMP: Get Community Type the Get Community, which is the password for the incoming Get- and GetNext requests from the management station.
  • Page 274: Table 91 Ports And Permanent Virtual Circuits

    Prestige 334 User’s Guide Table 90 SNMP Traps TRAP # TRAP NAME linkUp (defined in RFC-1215) authenticationFailure (defined in RFC-1215) whyReboot (defined in ZYXEL-MIB) A trap is sent with the reason of restart before For intentional reboot : The port number is its interface index under the interface group. Table 91 Ports and Permanent Virtual Circuits PVC (PERMANENT PORT...
  • Page 275: System Information And Diagnosis

    System Information and This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Type 24 in the main menu to open Menu 24 –...
  • Page 276: Figure 150 Menu 24.1 System Maintenance : Status

    Prestige 334 User’s Guide Figure 150 Menu 24.1 System Maintenance : Status Port Status Down 100M/Full Port Ethernet Address 00:A0:C5:01:23:46 00:A0:C5:01:23:45 System up Time: Name: P334 Routing: IP ZyNOS F/W Version: V3.60(JJ.3)b1 | 08/20/2004 COMMANDS: 1-Drop WAN 9-Reset Counters The following table describes the fields present in Menu 24.1 — System Maintenance — Status.
  • Page 277: System Information

    Table 92 System Maintenance: Status Menu Fields FIELD ZyNOS F/W Version The ZyNOS Firmware version and the date created. You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24. 29.2 System Information To get to the System Information: 1 Enter 24 to display Menu 24 —...
  • Page 278: Console Port Speed

    Displays the system name of your Prestige. This information can be changed in Menu 1 – General Setup. Refers to the routing protocol used. Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. Chapter 29 System Information and Diagnosis...
  • Page 279: Log And Trace

    Figure 153 Menu 24.2.2 System Maintenance : Change Console Port Speed Menu 24.2.2 – System Maintenance – Change Console Port Speed Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: 29.3 Log and Trace There are two logging facilities in the Prestige. The first is the error logs and trace records that are stored locally.
  • Page 280: Cdr

    29.3.1.1 CDR

    CDR Message Format

    SdcmdSyslogSend ( SYSLOG_CDR, SYSLOG_INFO, String);
    String = board xx line xx channel xx, call xx, str

    board = the hardware board ID
    line = the WAN ID in a board
    Channel = channel ID within the WAN
    call = the call reference number which starts from 1 and increments by 1 for each new call
    str = C01 Outgoing Call dev xx ch xx (dev:device No....
  • Page 281: Filter Log

    29.3.1.3 Filter log

    Filter log Message Format

    SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
    String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD

    IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).

    Src: Source Address
    Dst: Destination Address
    prot: Protocol (“TCP”, “UDP”, “ICMP”)
    spo: Source port...
  • Page 282: Firewall Log

    29.3.1.5 Firewall log

    Firewall Log Message Format

    SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
    buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]

    Src: Source Address
    spo: Source port (empty means no source port information)
    Dst: Destination Address
    dpo: Destination port (empty means no destination port information)
    prot: Protocol (“TCP”, “UDP”, “ICMP”, “IGMP”, “GRE”, “ESP”)
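The filter log and firewall log message formats described above can be parsed on the syslog server to see which filter rules are dropping traffic. The following is an added example, not code from the manual or from ZyXEL: the sample lines, their syslog prefix, the `default policy` and `block` strings, and treating `spo`/`dpo` as optional in filter logs are assumptions; only the `m` (match) and `D` (drop) codes the manual defines are decoded.

```python
import ipaddress
import re
from collections import Counter

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Filter log body: IP[Src=.. Dst=.. prot spo=.. dpo=..] S04>R01mD
FILTER_RE = re.compile(
    rf"IP\[Src=(?P<src>{_IP})\s+Dst=(?P<dst>{_IP})\s+(?P<prot>[A-Za-z]+)"
    r"(?:\s+spo=(?P<spo>\d+))?(?:\s+dpo=(?P<dpo>\d+))?\s*\]\s*"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[A-Za-z])(?P<action>[A-Za-z])"
)
# Firewall log body: IP[Src=.. : spo=.. Dst=.. : dpo=.. | prot | rule | action]
FIREWALL_RE = re.compile(
    rf"IP\[Src=(?P<src>{_IP})\s*:\s*spo=(?P<spo>\d*)\s+"
    rf"Dst=(?P<dst>{_IP})\s*:\s*dpo=(?P<dpo>\d*)\s*\|\s*(?P<prot>[A-Za-z]+)"
    r"\s*\|\s*(?P<rule>[^|\]]*?)\s*\|\s*(?P<action>[^|\]]*?)\s*\]"
)

# Only the codes the manual excerpt defines; any other letter is kept as-is.
MATCH_CODES = {"m": "match"}
ACTION_CODES = {"D": "drop"}


def _common(m):
    """Validate both addresses and convert ports; None if an address is invalid."""
    try:
        src = str(ipaddress.IPv4Address(m["src"]))
        dst = str(ipaddress.IPv4Address(m["dst"]))
    except ipaddress.AddressValueError:
        return None
    to_port = lambda v: int(v) if v else None  # empty field means "no port info"
    return {"src": src, "dst": dst, "prot": m["prot"].upper(),
            "spo": to_port(m["spo"]), "dpo": to_port(m["dpo"])}


def parse_filter_log(line):
    """Parse one filter log message; returns a dict or None if it does not match."""
    m = FILTER_RE.search(line)
    rec = _common(m) if m else None
    if rec is None:
        return None
    rec.update(kind="filter", set=int(m["set"]), rule=int(m["rule"]),
               matched=MATCH_CODES.get(m["match"], m["match"]),
               action=ACTION_CODES.get(m["action"], m["action"]))
    return rec


def parse_firewall_log(line):
    """Parse one firewall log message; rule and action are kept as opaque text."""
    m = FIREWALL_RE.search(line)
    rec = _common(m) if m else None
    if rec is None:
        return None
    rec.update(kind="firewall", rule=m["rule"], action=m["action"])
    return rec


def summarize_drops(lines):
    """Count filter-log drops per (filter set, rule, destination port)."""
    drops = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            drops[(rec["set"], rec["rule"], rec["dpo"])] += 1
    return drops


# Constructed sample lines (documentation address ranges, invented timestamps).
SAMPLE = [
    "Jan  1 00:00:05 p334 IP[Src=203.0.113.7 Dst=192.0.2.10 TCP spo=40112 dpo=23] S04>R01mD",
    "Jan  1 00:00:06 p334 IP[Src=203.0.113.7 Dst=192.0.2.10 TCP spo=40113 dpo=23] S04>R01mD",
    "Jan  1 00:00:09 p334 IP[Src=198.51.100.4 Dst=192.0.2.10 UDP spo=137 dpo=137] S01>R02mD",
    "Jan  1 00:00:11 p334 IP[Src=198.51.100.9 : spo=51000 Dst=192.0.2.10 : dpo=80 | TCP | default policy | block]",
    "Jan  1 00:00:12 p334 IP[Src=198.51.100.9 : spo= Dst=192.0.2.10 : dpo= | ICMP | default policy | block]",
]

if __name__ == "__main__":
    for (fset, rule, dpo), n in summarize_drops(SAMPLE).most_common():
        print(f"filter set {fset} rule {rule} dropped {n} packet(s) to port {dpo}")
    for line in SAMPLE:
        rec = parse_firewall_log(line)
        if rec:
            print(rec)
```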
  • Page 283: Diagnostic

    Figure 155 Call-Triggering Packet Example IP Frame: ENET0-RECV Size: Frame Type: IP Header: IP Version Header Length Type of Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Destination IP TCP Header: Source Port Destination Port Sequence Number Ack Number...
  • Page 284: Wan Dhcp

    Prestige 334 User’s Guide Figure 156 Menu 24.4 System Maintenance : Diagnostic Menu 24.4 - System Maintenance - Diagnostic 29.4.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in LAN & WAN DHCP. LAN DHCP has already been discussed. The Prestige can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or None, (when you have a static IP).
  • Page 285 Table 95 System Maintenance Menu Diagnostic FIELD WAN DHCP Renewal Internet Setup Test Reboot System Host IP Address= Enter the number of the selection you would like to perform or press [ESC] to cancel. Chapter 29 System Information and Diagnosis DESCRIPTION Enter 3 to renew your WAN DHCP settings.
  • Page 287: Firmware And Configuration File Maintenance

    Firmware and Configuration File This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files. 30.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 288: Backup Configuration

    Prestige 334 User’s Guide The following table is a summary. Please note that the internal filename refers to the filename on the Prestige and the external filename refers to the filename not on the Prestige, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 –...
  • Page 289: Using The Ftp Command From The Command Line

    Figure 158 Telnet in Menu 24.5 Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your Prestige. Then type "root" and SMT password as requested.
  • Page 290: Example Of Ftp Commands From The Command Line

    30.2.3 Example of FTP Commands from the Command Line

    Figure 159 FTP Session Example

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 291: Backup Configuration Using Tftp

    30.2.6 Backup Configuration Using TFTP The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended. To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next.
  • Page 292: Gui-Based Tftp Clients

    Prestige 334 User’s Guide 30.2.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 98 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped.
  • Page 293: Figure 160 Telnet Into Menu 24.6

    Figure 160 Telnet into Menu 24.6. Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your Prestige. Then type "root" and SMT password as requested.
  • Page 294: Restore Using Ftp Session Example

    30.3.2 Restore Using FTP Session Example

    Figure 161 Restore Using FTP Session Example

    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  • Page 295: Configuration File Upload

    Figure 162 Telnet Into Menu 24.7.1 Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  • Page 296: Ftp Session Example Of Firmware File Upload

    4 Enter your password as requested (the default is “1234”).
    5 Enter “bin” to set transfer mode to binary.
    6 Use “put” to transfer files from the computer to the Prestige, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the Prestige and renames it “ras”.
  • Page 297: Tftp Upload Command Example

    3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
    4 Launch the TFTP client on your computer and connect to the Prestige. Set the transfer mode to binary before starting data transfer.
  • Page 299: Chapter 31 System Maintenance

    This chapter leads you through SMT menus 24.8 to 24.10. 31.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions.
  • Page 300: Command Usage

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Figure 166 Valid Commands Copyright (c) 1994 - 2004 ZyXEL Communications Corp. P334> ? Valid commands are:...
  • Page 301: Call History

    Figure 168 Budget Management Remote Node 1.MyISP The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 302: Time And Date Setting

    Prestige 334 User’s Guide Figure 169 Menu 24.9.2 - Call History Phone Number The following table describes the fields in this menu. Table 100 Call History Fields FIELD DESCRIPTION Phone Number The PPPoE service names are shown here. This shows whether the call was incoming or outgoing. Rate This is the transfer rate of the call.
  • Page 303: Figure 170 Menu 24: System Maintenance

    Figure 170 Menu 24: System Maintenance Menu 24 - System Maintenance 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your Prestige as shown in the following screen.
  • Page 304: Figure 171 Menu 24.10 System Maintenance: Time And Date Setting

    Prestige 334 User’s Guide Figure 171 Menu 24.10 System Maintenance: Time and Date Setting Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= time-b.nist.gov Current Time: New Time (hh:mm:ss): Current Date: New Date (yyyy-mm-dd): Time Zone= GMT Daylight Saving= No Start Date (mm-dd):...
  • Page 305: Resetting The Time

    Table 101 Time and Date Setting Fields FIELD DESCRIPTION End Date Enter the month and day that your daylight-savings time ends on if you selected Yes in the Daylight Saving field. Once you have filled in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel“...
  • Page 307: Chapter 32 Remote Management

    32.1 Remote Management Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. You may manage your Prestige from a remote location via: • Internet (WAN only) • LAN only To disable remote management of a service, select Disable in the corresponding Server Access field.
  • Page 308: Remote Management Limitations

    Prestige 334 User’s Guide Figure 172 Menu 24.11 – Remote Management Control Menu 24.11 - Remote Management Control TELNET Server: FTP Server: Web Server: SNMP Service: DNS Service: The following table describes the fields in this screen. Table 102 Menu 24.11 – Remote Management Control FIELD DESCRIPTION Telnet Server...
  • Page 309 3 The IP address in the Secure Client IP field (menu 24.11) does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately. 4 There is an SMT console session running. 5 There is already another remote management session with an equal or higher priority running.
  • Page 311: Chapter 33 Call Scheduling

    Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a remote node should be called and for how long. 33.1 Introduction to Call Scheduling The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 312: Figure 174 Menu 26.1 Schedule Set Setup

    Prestige 334 User’s Guide You can design up to 12 schedule sets but you can only apply up to four schedule sets for a remote node. To setup a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 —...
  • Page 313: Figure 175 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Table 103 Menu 26.1 Schedule Set Setup FIELD DESCRIPTION Start Time Enter the start time when you wish the schedule set to take effect in hour-minute format. Duration Enter the maximum length of time this connection is allowed in hour-minute format. Action Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field.
  • Page 315: Chapter 34 Vpn/Ipsec Setup

    This chapter introduces the VPN SMT menus. 34.1 VPN/IPSec Overview The VPN/IPSec main SMT menu has these main submenus: 1 Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2 Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections.
  • Page 316: Ipsec Summary Screen

    Prestige 334 User’s Guide Figure 177 Menu 27 VPN/IPSec Setup Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor Enter Menu Selection Number: 34.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels).
  • Page 317 Table 104 Menu 27.1 IPSec Summary. Local Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your Prestige. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the beginning (static) IP address, in a range of computers on the LAN behind your Prestige.
  • Page 318 Prestige 334 User’s Guide Table 104 Menu 27.1 IPSec Summary FIELD Remote Addr When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is the same (static) IP address as in the Remote Addr Start field. When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Range, this is the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 319: Figure 179 Menu 27.1.1 Ipsec Setup

    Figure 179 Menu 27.1.1 IPSec Setup Index= 1 Active= Yes Local ID type My IP Addr= 0.0.0.0 Peer ID type= IP Secure Gateway Address= zw50test.zyxel.com.tw Protocol= 0 Local: Addr Type= SINGLE Local IP Addr= 1.1.1.1 Port Start= 0 Addr Type= SUBNET Remote: IP Addr Start= 4.4.4.4 Port Start= 0...
  • Page 320 Table 105 Menu 27.1.1 IPSec Setup. Content: When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Prestige.
  • Page 321 Table 105 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. You cannot create a VPN tunnel if you try to connect using a port number that does not match this port number or range of port numbers.
  • Page 322: Ike Setup

    Table 105 Menu 27.1.1 IPSec Setup

    FIELD | DESCRIPTION
    Enable Replay Detection | As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
  • Page 323: Figure 180 Menu 27.1.1.1 Ike Setup

    Figure 180 Menu 27.1.1.1 IKE Setup Press Space Bar to Toggle. The following table describes the fields in this menu. Table 106 Menu 27.1.1.1 IKE Setup FIELD DESCRIPTION Phase 1 Negotiation Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. Mode See earlier for a discussion of these modes.
  • Page 324: Manual Setup

    Table 106 Menu 27.1.1.1 IKE Setup

    FIELD | DESCRIPTION
    Authentication Algorithm | MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly slower. Press [SPACE BAR] to choose from SHA1 or MD5 and then press [ENTER].
  • Page 325: Active Protocol

    34.4.0.1 Active Protocol This field is a combination of mode and security protocols used for the VPN. See the Web Configurator part on VPN for more information on these parameters. Table 107 Active Protocol: Encapsulation and Security Protocol MODE Tunnel Transport 34.4.0.2 Security Parameter Index (SPI) To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 –...
  • Page 326 Table 108 Menu 27.1.1.2 Manual Setup. Encryption Algorithm: Press [SPACE BAR] to choose from NULL, 3DES or DES and then press [ENTER]. Fill in the Key1 field below when you choose DES and fill in fields Key1 to Key3 when you choose 3DES.
  • Page 327: Chapter 35 Sa Monitor

    This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 35.1 SA Monitor Overview A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. 35.2 Using SA Monitor 1.
  • Page 328: Figure 182 Menu 27.2 Sa Monitor

    Prestige 334 User’s Guide Figure 182 Menu 27.2 SA Monitor Name -------------------------------- Taiwan : 3.3.3.1 – 3.3.3.3.100 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu. Table 109 Menu 27.2 SA Monitor FIELD DESCRIPTION This is the security association index number.
  • Page 329: Appendix A Troubleshooting

    This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information. Table 110 Troubleshooting PROBLEM None of the LEDs turn on when you turn on the Prestige.
  • Page 330: Problems With The Password

    Prestige 334 User’s Guide Table 110 Troubleshooting PROBLEM Access to a web page with a URL containing a forbidden keyword is not blocked. Parental Control is configured correctly, but I can still access restricted web pages. 35.3 Problems with the Password Table 111 Troubleshooting the Password PROBLEM Cannot access the...
  • Page 331: Appendix Bpppoe

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN.
  • Page 332: Figure 183 Single-Computer Per Router Hardware Configuration

    Prestige 334 User’s Guide Figure 183 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
  • Page 333: Figure 185 Transport Ppp Frames Over Ethernet

    What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the computer and the modem over Ethernet.
  • Page 334: Figure 186 Pptp Protocol Overview

    Prestige 334 User’s Guide PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel.
  • Page 335: Appendix Cpptp

    Figure 187 Example Message Exchange between Computer and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 337: Netbios Filter Commands

    The following describes the NetBIOS packet filter commands. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to do the following : •...
  • Page 338: Table 113 Netbios Filter Default Settings

    Prestige 334 User’s Guide The filter types and their default settings are as follows. Table 113 NetBIOS Filter Default Settings NAME DESCRIPTION This field displays whether NetBIOS packets are blocked or forwarded Between LAN between the LAN and the WAN. and WAN This field displays whether NetBIOS packets sent through a VPN IPSec...
  • Page 339: Appendix E Log Descriptions

    Configure centralized logs using the embedded web configurator; see online help for details. This appendix provides descriptions of example log messages. Table 114 System Error logs LOG MESSAGE %s exceeds the max. number of session per host! Table 115 System Maintenance Logs LOG MESSAGE Time calibration is successful...
  • Page 340: Table 116 Upnp Logs

    Prestige 334 User’s Guide Table 116 UPnP Logs LOG MESSAGE UPnP pass through Firewall Table 117 ICMP Type and Code Explanations TYPE CODE DESCRIPTION UPnP packets can pass through the firewall. DESCRIPTION Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable...
  • Page 341 Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 342: Figure 188 Windows 95/98/Me: Network: Configuration

    Figure 188 Windows 95/98/Me: Network: Configuration

    Installing Components
    The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 343: Setting Up Your Computer's Ip Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab.
  • Page 344: Figure 190 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Prestige 334 User’s Guide Figure 190 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • • 5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your Prestige and restart your computer when prompted.
  • Page 345: Figure 191 Windows Xp: Start Menu

    Figure 191 Windows XP: Start Menu 2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 192 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. Appendix F Setting up Your Computer’s IP Address Prestige 334 User’s Guide...
  • Page 346: Figure 193 Windows Xp: Control Panel: Network Connections: Properties

    Prestige 334 User’s Guide Figure 193 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 194 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 347: Figure 195 Windows Xp: Advanced Tcp/Ip Settings

    • Figure 195 Windows XP: Advanced TCP/IP Settings 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 348: Figure 196 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • •
    Figure 196 Windows XP: Internet Protocol (TCP/IP) Properties
    8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
    9 Click OK to close the Local Area Connection Properties window.
    10 Turn on your Prestige and restart your computer (if prompted).
  • Page 349: Figure 197 Macintosh Os 8/9: Apple Menu

    Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Figure 197 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Appendix F Setting up Your Computer’s IP Address Prestige 334 User’s Guide...
  • Page 350: Figure 198 Macintosh Os 8/9: Tcp/Ip

    Prestige 334 User’s Guide Figure 198 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • • • • 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration.
  • Page 351: Figure 200 Macintosh Os X: Network

    • • 3 For dynamically assigned settings, select Using DHCP from the Configure list. Figure 200 Macintosh OS X: Network 4 For statically assigned settings, do the following: • • • • 5 Click Apply Now and close the window. 6 Turn on your Prestige and restart your computer (if prompted).
  • Page 353: Table 118 Brute-Force Password Guessing Protection Commands

    Brute-Force Password Guessing

    The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.

    Table 118 Brute-Force Password Guessing Protection Commands

    COMMAND | DESCRIPTION
    sys pwderrtm | This command displays the brute-force guessing password protection settings.
    sys pwderrtm 0 | This command turns off the password’s protection from brute-force guessing.
  • Page 354: Brute-Force Password Guessing Protection

    Prestige 334 User’s Guide Appendix G Brute-Force Password Guessing Protection...
  • Page 355: Figure 201 Enable Tmss

    This appendix discusses Trend Micro Security Services setup and access. Please see your TMSS user guide for more information. Note: Make sure that you have not restricted access to ActiveX, Cookies or Web Proxy features in the Advanced Firewall Filter screen.
  • Page 356: Figure 202 Tmss Welcome Screen

    Prestige 334 User’s Guide Figure 202 TMSS Welcome Screen 7 Click Continue>> to proceed to download ActiveX control. Figure 203 Download ActiveX Control 8 Select Yes to install and run ActiveX control. 9 Once the installation is complete the Home Network Security Services dashboard appears.
  • Page 357: Tmss

    Prestige 334 User’s Guide Figure 204 Home Network Security Services Dashboard 10 See the Trend Micro User’s Guide for information on TMSS. Appendix H TMSS...
  • Page 359: Figure 205 Ideal Setup

    The Ideal Setup When the firewall is on, your Prestige acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Prestige to protect your LAN against attacks. Figure 205 Ideal Setup The “Triangle Route”...
  • Page 360: Figure 206 "Triangle Route" Problem

    Prestige 334 User’s Guide Figure 206 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface.
  • Page 361: Triangle Route

    Figure 207 IP Alias Gateways on the WAN Side A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your Prestige to your LAN.

This manual is also suitable for:

Prestige 334
